rent connections running
> through the bridge. Pflog shows onlu multicast blocked. I've Googled
> for this and read brconfig, pfctl and pf.conf. Any ideas?
Just look at the reason why these multicast packets get blocked in pflog.
I guess they use IP options which you have to explicitely al
D tree?
Someone once send a patch to misc@ for ftp-proxy to run standalone without
inetd. Any plans on merging those changes?
http://marc.theaimsgroup.com/?l=openbsd-misc&m=104387606807393&w=2
http://www.alloyant.com/files/ftp-proxy.tgz
And PR 3011 is still open ;-)
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
f not,
> please explain.
You can also use -z.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
is
applies to rules with return, return-rst, return-icmp, return-icmp6 or
synproxy defined.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
before reaching the destination host. reassemble tcp will
raise the TTL of all packets back up to the highest value
seen on the connection.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Fri, 28 Mar 2003, Dries Schellekens wrote:
> On Fri, 28 Mar 2003, Doros Eracledes wrote:
>
> > Is there a way to make sure that only requests
> > from specific mac address can access my
> > pf protected database server?
> > May be if it's not possible usi
On Fri, 28 Mar 2003, Doros Eracledes wrote:
> Is there a way to make sure that only requests
> from specific mac address can access my
> pf protected database server?
> May be if it's not possible using pf, i could use a level 1 switch?
pf(4) filters at layer 2 (IP) and 3 (TCP, UDP, ...). If you
ress, so that
> > > shouldn't affect things & POP but only from internal hosts.
> >
> > DNS sometimes also uses TCP on port 53 for large packets, so you
> > probably want to allow that as well.
> >
> > David
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Thu, 13 Feb 2003, Ryan McBride wrote:
> On Thu, Feb 13, 2003 at 01:54:29AM +0100, Dries Schellekens wrote:
> > Now you have the following syntax
> > rdr on dc0 inet proto tcp from any to 1.2.3.4 port = -> 10.0.0.10 port 22
> > (it used to be ... port 222
-> 10.0.0.10 port <>
11024
rdr on dc0 inet proto tcp from any to 1.2.3.4 port 999 <> 2000 -> 10.0.0.10 port < 1000
(and even more, some of which totally useless ;-))
BTW I find it quite annoying that <> (no including the limits of the
range) isn't the same as : (includes the limits of the range).
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Tue, 11 Feb 2003, Damien Miller wrote:
> Quite possibly the final word on the matter:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084
Daniel finally figured out why they use DF on fragments:
"The missing piece in the puzzle was the fact that certain protocols like
NFS can't spli
DF get drop even if you specify "no-df" as
an option to scrub. Perhaps this should be changed.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Thu, 6 Feb 2003, Daniel Hartmeier wrote:
> On Thu, Feb 06, 2003 at 07:05:26PM +0100, Dries Schellekens wrote:
>
> > Does PF protect against the "Crikey CRC Flood" (described in
> > http://www.kb.cert.org/vuls/id/539363)? I know that protection against
> &g
n against
p60-0x0c.txt was add; does this protect against this C2 Flood as well?
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Thu, 6 Feb 2003, jolan wrote:
> On Thu, Feb 06, 2003 at 12:33:25AM +0100, Dries Schellekens wrote:
> > * Using a random IPidfield has its own challenges to uniqueness. While
> > linear congruential generators have a maximal cycle length, such
> > generators are easily c
aps in the form of a
scrub option to randomize the IPid field (comparable to TCP state
modulation). Scrub already provides all means of fragment reassembly,
needed to change the IPid of fragments belonging to each other.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On 13 Jan 2003, Jason Dixon wrote:
> I'm trying to interpret a block rule that is showing in my
> pflogd/tcpdump output. The firewall is a bridge that is currently
> blocking all igmp, as well as 224.0.0.0/3 traffic (amongst other
> things). However, neither of these should log. What's particul
s in port > 49151" rule? Of course
this can be solved by using the "pass in user proxy" rule, as I described
above.
I think a lot of misinformation let you to an unnecessary switch to IP
Filter. Next time just mail your problems to appropiate OpenBSD mailing
list ([EMAIL PROTECTED]) or PF mailing list ([EMAIL PROTECTED]).
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
e a number, there is no way to change it back to unlimited except by
rebooting. So there is also no way to set to limit for frags to unlimited.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
#x27;scrub' rules).
-m all Display all maxima, cannot be set.
So I guess the correct syntax would be 'set limit states inf'. Can you try
this?
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
Hey,
Phrack 60 describes a new technique of detecting firewalls using broken
CRC. Interesting reading material.
http://www.phrack.org/phrack/60/p60-0x0c.txt
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
> all. I can connect and authenticate, but I can't get an ls, download,
> upload, etc. Can anyone direct me to a solution for this little quandry
> I have?
Can you show us your pf.conf?
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
Taken from deadly.org
some problems with pf losing state information in
by Timothy Dyck, eWEEK Labs ([EMAIL PROTECTED]) on Monday,
December 09 @04:30AM
One thing people will notice in the pf.conf files is some rules that
explicitly allow reply traffic through the firewall when a "keep state"
para
http://www.deadly.org/commentShow.php3?sid=20021206054031&pid=34
--
Dries Schellekens
email: [EMAIL PROTECTED]
t on gif0 inet6 proto udp from $ipv6_net to any keep state
pass in on gif0 inet6 proto udp from any to $ipv6_net \
port $services_udp keep state
# TCP
pass out on gif0 inet6 proto tcp from $ipv6_net to any flags S/SA keep
state
pass in on gif0 inet6 proto tcp from any to $ipv6_net \
port $services_
e.
> >
> > Well I don't think the above is a good implementation of sticky
> > load balancing because it confines your destination IP addresses
> > to be a single subnet mask range.
> >
> > I did sticky redirection for IPFilter last month, I think, and that
> > implementation does not have this problem. More importantly, the
> > stickiness can be mixed with any other redirection options.
> >
> > If routers use the above for stickiness then said routers suck, IMHO.
> >
> > Darren
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
&& make install (perhaps
first backup the -stable pfctl in /sbin)
As Daniel said, nothing change in pf_norm.c between -stable and -current.
So logic dictates that -current should still crash.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
layer 2).
PF is a packet filter and works at layer 3 (IP) and 4 (TCP, UDP, ...). It
doesn't operate at layer 2.
I think you get the picture. That's why PF is unable to filter AppleTalk,
IPX, ... either.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Thu, 21 Nov 2002, Dries Schellekens wrote:
> On Tue, 19 Nov 2002, Daniel Hartmeier wrote:
>
> > /usr/src/sys/net/pf_norm.c
> >
> > --- pf_norm.c.orig Tue Nov 19 12:26:29 2002
> > +++ pf_norm.c Tue Nov 19 12:26:52 2002
> > @@ -835,12 +8
the mailing list. If you
> want that, I can include that in addition to the tcpdump.
In the previous thread (Scrub and Kernel Panics) you didn't provide a
back trace of the full reassembly. Perhaps you can provide a trace of the
crash as well.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
w.openbsd.org, but the reports seem to be read.
To be sure CC the report to [EMAIL PROTECTED] as well; that's what I do.
BTW the crash seems to be unrelated to the pool exhaustion bug. So I guess
it's a different bug.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Thu, 14 Nov 2002, Daniel Hartmeier wrote:
> On Thu, Nov 14, 2002 at 10:31:46PM +0100, Dries Schellekens wrote:
>
> > BTW What does this thread do on this mailing list?
>
> http://www.allard.nu/mailman/listinfo/openbsd-ipsec-clients
>
> would be a good alternative.
&r=1&w=2 (ipsec nat
traversal) In this thread someone says he will release code that does
NAT-T.
BTW What does this thread do on this mailing list?
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
irewall if you don't
have a state limit set. And apparantly it's possible to crash it even when
a fragment limit is set.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
ts per rule.
You can also use some predefined optimized scenarios:
* normal
* high-latency
* aggressive
* conservative
OpenBSD 3.0 and 3.1 use pfctl -O.
OpenBSD 3.2 use set optimization.
As said, all this is clearly explained in the man pages.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
t; from $trusted port ! $updservices to any
Negatation of host and port list is not possible.
Why don't you just do
pass in quick on $ext inet proto tcp from $trusted port $tcpservices to any port $safe
keep state
pass in quick on $ext inet proto udp from $trusted port $updservices to any keep state
block in log quick all
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
keep state
Macro names must start with a letter and may contain letters, digits and
underscores. Macro names may not be pf reserved words (e.g. pass, in,
out). Macros are not expanded recursively.
^^^^^^^
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Thu, 24 Oct 2002, Dries Schellekens wrote:
> On 24 Oct 2002, Jason Dixon wrote:
>
> > Hi all:
> >
> > I'm not yet a user of PF (currently OBSD 2.9/IPF), but I plan on
> > upgrading to OBSD 3.1/3.2 soon, and migrating my ruleset to PF. I have
> >
w.obfuscation.org/ipf/ipf-howto.html#TOC_53
(the IPFilter syntax is a bit different).
I guess the rule would look like this (not sure it works, though)
pass out on $int_if route-to $dmz_if from any to $webserver
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
er.
What's wrong with labels?
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Thu, 10 Oct 2002, John Bacalle wrote:
> * Dries Schellekens <[EMAIL PROTECTED]> [20021010 10:40]:
> [ pf mailing list /raison d'etre/ ]
> > Perhaps this mailing list should be mentioned on
> > www.openbsd.org/mail.html So that people can email PF specific
> &
ned on www.openbsd.org/mail.html
So that people can email PF specific questions to this list.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
the dis-
play of rules using "ipnat -l", only the internal applica-
tion order.
Cheers,
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Wed, 2 Oct 2002, Henning Brauer wrote:
> sorry.
>
> I hate reply-to: to the list address.
Bwa, it's in german. BTW what the heck is "schlammcatchen"? ;-)
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
t, like pfctl does?
> > You can pick the code from pfctl/pf_print_state.c :)
> > And maybe translate the cryptic STATE values (0:1, 4:4), too?
>
> I'm not the author. ;-)
> Please look at the "From".
Please look at the "Cc" in the previous mail by Daniel ;-)
--
Dries Schellekens
email: [EMAIL PROTECTED]
On Wed, 21 Aug 2002, krisna wrote:
> Does PF have a feature to blocking MAC ADDRESS?
No. You can filter MAC addresses with a bridge. Read brconfig(8).
BTW read the archives of [EMAIL PROTECTED] about the uselessness of mac
filtering.
Dries
--
Dries Schellekens
email: [EMAIL PROTECTED]
46 matches
Mail list logo